
The WMF vulnerability

Image file formats continue to be fertile ground for anybody seeking security vulnerabilities. It seems that there is a tiny hole in the "Windows metafile" (WMF) implementation on just about every version of Windows. Exploits exist and are widespread; all it takes to be compromised is an attempt to view a malicious WMF file. Using Internet Explorer to view a web page that includes the WMF file is sufficient; depending on who you believe, it may also be possible to deliver malicious files in email.

Quite a few sites hosting exploits have been found; by some estimates, hundreds of thousands of machines have already been compromised. Happily, Windows users can rely on Microsoft's recent commitment to security for a patch.

Unhappily, it seems that Microsoft, which has known about the vulnerability since sometime in December, will not have a fix available until January 10. Meanwhile, users are told to be careful out there and "avoid reading email from strangers." So Windows users will be left vulnerable to a severe vulnerability - with numerous exploits already happening - for a minimum of two weeks. It is tempting to insert a long, Microsoft-bashing rant here, but there is little point.

Instead, we'll point out a couple of things which might be worth knowing if you're concerned with security issues involving Windows in any way:

  • Firefox (on Windows) users are vulnerable too. Being compromised via Firefox is harder than with Internet Explorer; current versions of the browser require an explicit user action before a WMF file will be displayed. But requiring an extra click is a thin line of defense, at best.

  • There is an unofficial fix available for people who do not want to wait for Microsoft to get around to putting up a patch. By all accounts, the fix does exactly what it says it does, but, since it is a binary patch, it is hard to verify independently.

It is hard to imagine a vulnerability of this severity staying open for so long in the free software world. If distributors were slow in releasing a patch, the community would fill in quickly - with verifiable, source-available fixes. There is little doubt that, sooner or later, a serious vulnerability will threaten free software users; that is, unfortunately, the nature of software. But the nature of free software should keep that vulnerability from being left open for anywhere near so long.

(See also: the CERT advisory for the WMF vulnerability and this FAQ).

SANS information about the WMF vulnerability and unofficial fix

Posted Jan 5, 2006 2:18 UTC (Thu) by jschrod (subscriber, #1646) [Link] (2 responses)

It is worth pointing out that SANS has reverse engineered the patch and tells that they reverse engineered it and it does just its job and nothing else.

In addition, SANS recommends that the DLL that interprets WMF files is unregistered, too. They say that only these two actions together will protect a Windows box. Check out the ISC Diary that has very good information. There you also find the patch as an (de-installable) MSI, a FAQ, and even slides for a presentation to management.

Yes, I know that this has nothing to do with Linux -- but many of us have to care for heterogeneous environments, and the SANS guys did (and do) a very good and thorough job here to help us.

Cheers, Joachim

SANS information about the WMF vulnerability and unofficial fix

Posted Jan 5, 2006 4:41 UTC (Thu) by barryn (subscriber, #5996) [Link] (1 response)

The patch actually installs its own source code (but not the source code for the installer, AFAIK) in a folder somewhere beneath \Program Files. (I think you actually get to choose the folder during installation, but I don't remember for sure.)

If I understand correctly, what SANS did was to verify that (a) the source code specifies doing the right thing and (b) the binary actually does what the source code says.

SANS information about the WMF vulnerability and unofficial fix

Posted Jan 5, 2006 10:49 UTC (Thu) by jschrod (subscriber, #1646) [Link]

You are right and I didn't make myself clear enough.

I was reacting to Jonathan's comment that the patch is not easy to verify, and thus implicitly questioned whether one can install it without worries. I think he had a bad day at the time.

If any of you have to administer Windows systems and that comment made you reconsider patch installation -- for the sake of the other systems on the Internet, go ahead, unregister shimgvw.dll, and install the patch.

The patch CAN be easily verified, and it HAS BEEN verified. It was even verified that (1) the binary matches the source and (2) the MSI installation code does only the installation and nothing else. You won't see such a thorough examination with any other code that you install today. If you don't trust ISC's verification, compile it yourself. (If you don't know what ISC is, go to http://isc.sans.org and learn about that treasure.)

For me, I trust the SANS/ISC guys more than I trust Microsoft's convoluted patch process.

Joachim

The WMF vulnerability

Posted Jan 5, 2006 4:02 UTC (Thu) by bk (guest, #25617) [Link]

I'd hardly call it a "tiny hole".

WMF is a relic from the early 1990s when software security was totally unknown to the major PC vendors. Not only is it essentially a macro format consisting of a list of graphics API calls, but it has the option of including actual binary executable code within the image format itself. It doesn't take a security expert to realize the potential implications of that.

Were MS actually as security conscious as they claim, they would've ripped out WMF support many years ago. Tragically for Windows users, they've left their customers in the lurch and now everybody is paying the price.
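The comment above describes WMF as a list of graphics calls with room for executable payloads. The following added example, which is not code from LWN, SANS or any poster here, walks a WMF record list and flags the escape records a plain image viewer has no business executing. The record layout and the constants (META_EOF, META_ESCAPE, the SETABORTPROC escape number, the placeable-header key) come from the published WMF format, not from this page; the sample files are constructed inline, and the escape payload is just filler bytes.

```python
import struct

# WMF constants from the Windows Metafile format specification (assumed
# here; the LWN page itself names no record codes).
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
META_SETABORTPROC = 0x0009   # escape sub-function that installs a callback
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header


def parse_wmf_records(data: bytes):
    """Return [(function_code, param_bytes), ...] up to and including META_EOF.

    Standard header is 18 bytes: Type, HeaderSize (in 16-bit words), Version,
    Size, NumberOfObjects, MaxRecord, NumberOfMembers. Every record starts with
    a DWORD size in words followed by a WORD function code.
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, offset + 2)[0]
    offset += header_words * 2
    records = []
    while True:
        if offset + 6 > len(data):
            raise ValueError("record list not terminated by META_EOF")
        size_words, func = struct.unpack_from("<IH", data, offset)
        size_bytes = size_words * 2
        # A record is at least its own 6-byte header and may not run past EOF.
        if size_words < 3 or offset + size_bytes > len(data):
            raise ValueError(f"bad record size {size_words} at offset {offset}")
        records.append((func, data[offset + 6:offset + size_bytes]))
        if func == META_EOF:
            return records
        offset += size_bytes


def find_escape_records(data: bytes):
    """Return (escape_function, payload) for each META_ESCAPE record."""
    found = []
    for func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, byte_count = struct.unpack_from("<HH", params, 0)
            found.append((escape_func, params[4:4 + byte_count]))
    return found


def is_suspicious(data: bytes) -> bool:
    """True if the file asks the renderer to install an abort procedure."""
    return any(esc == META_SETABORTPROC for esc, _ in find_escape_records(data))


# --- constructed sample files (not real malware, just the record layout) ---
def build_record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) // 2 for r in records), 0)
    return header + body


BENIGN_WMF = build_wmf([
    build_record(META_SETMAPMODE, struct.pack("<H", 8)),
    build_record(META_EOF),
])
ESCAPE_WMF = build_wmf([
    build_record(META_SETMAPMODE, struct.pack("<H", 8)),
    build_record(META_ESCAPE, struct.pack("<HH", META_SETABORTPROC, 4) + b"XXXX"),
    build_record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("escape", ESCAPE_WMF)):
        print(name, [hex(f) for f, _ in parse_wmf_records(blob)],
              "suspicious" if is_suspicious(blob) else "ok")
```

Note that the check is a triage aid, not a fix: the page's mitigations (the vendor patch, or unregistering the viewer DLL as SANS advised) remain what actually closes the hole, and a scanner like this only helps a mail gateway or analyst decide which files deserve a closer look.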

The WMF vulnerability

Posted Jan 5, 2006 6:11 UTC (Thu) by cventers (guest, #31465) [Link]

Days like these are like religious holidays for me. I remember my switch to GNU/Linux on the desktop over a year ago, watch the chaos and catastrophe as yet another Windows security hole is recorded (or yet another DRM CD, or yet another Microsoft-sponsored DRM feature) and I'm left with nothing but a huge sense of privilege and pride. Who knew that the decision over what software you use could ever have been so exciting?

Public pressure has its effects...

Posted Jan 5, 2006 22:52 UTC (Thu) by roelofs (guest, #2599) [Link] (3 responses)

Unhappily, it seems that Microsoft, which has known about the vulnerability since sometime in December, will not have a fix available until January 10.

Apparently MS felt sufficient heat over this one that they've released their official fix five days early (i.e., today, 5 January). Windows users should check their "updates center" or whatever it's called.

Greg

Public pressure has its effects...

Posted Jan 5, 2006 22:59 UTC (Thu) by roelofs (guest, #2599) [Link]

Direct link, courtesy of the CERT page:

http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Greg

Countereffects

Posted Jan 6, 2006 23:30 UTC (Fri) by man_ls (guest, #15091) [Link] (1 responses)

Now all people have to do is update their machines and keep them patched.

This leads to another interesting point: I've seen several Windows systems where the "security warning" to download patches was on permanently, and their owners just ignored it. You might think they are lazy, ignorant people without a clue about security. Well, of course they are when it comes to computers. After all, Windows is supposed to require no special knowledge.

Maybe with Mac OS X and Mandriva users it's similar, but I doubt it; Windows Update is horribly cumbersome. It wants to update the system all the time; if you let it on its own it will download huge patches, which is not always practical; and after it bothers you for hours, it always wants you to restart the machine.

In contrast, my Macs update seldom and have never required restarts AFAICT. Similarly for my Linux boxen; to be fair Sarge testing updates were heavy, but only kernel changes required rebooting. Now Sarge stable is delightfully quiet; and so it has been for SUSE, Mandriva, etc.

In short, the Microsoft upgrade treadmill is not working. Systems are left unpatched, and their owners cannot be held responsible.

Countereffects

Posted Jan 7, 2006 13:30 UTC (Sat) by ebirdie (guest, #512) [Link]

"In contrast, my Macs update seldom and have never required restarts"

My experience doesn't support that. I'd say (no stats collected) that 3 of 5 Apple updates require a restart. This is the situation if you use only the "Software Update" tool. Another thing is that "Software Update" leaves you unnotified if you haven't registered your account as an Admin account. With a quick peek I couldn't find a knob to get it to update automatically and unattended.

In general the infrastructure for getting systems and the software they run updated leaves a lot to be desired today. All commercial system vendors (MS, Apple, etc.) have their own update services more or less for a subset of their offerings, and I haven't seen much progress toward other vendors getting their software updated through them. Possibly the system vendors are asking too much money for the service. Thus admins of heterogeneous networks have many tools and services to update with (on OSX you have Apple's Software Update for Apple's software incl. system and apps, Microsoft Software Update for updating Office, Adobe has built-in facilities as does the Mozilla Foundation). The question is, how do I control all those if I have even a modest number of mobile/remote workstations (OSX, Win etc.) to admin and deliver security fixes to? Buy an admin software suite, e.g. Tivoli. ;-)

In this respect the free software world's open and repository-based approach far outperforms the commercial offerings thus far. And secondly, a software update infrastructure is second in importance in getting a security vulnerability fixed.


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds